Summit 7 Team Blogs

Office 365 DFARS Frequently Asked Questions (and Answers) - Part 4

There are a lot of questions surrounding the upcoming DFARS requirements for DoD Contractors. What does it mean for your business? What happens if you're not compliant in time? To help guide you through the process, here are some questions and answers that you may need to know.

19. If a device is compromised but it is a personal device, how do we gain access to clear up the breach?

Office 365 MDM and Intune have the ability to remove Office 365 based company data from an employee’s device while leaving personal data in place.

We must first limit cloud data to ONLY approved Microsoft and corporate apps, and isolate that content from other 3rd party device applications. Next, we restrict data copy between these apps and other mobile apps. We must perform many other steps, such as blocking copy/paste, prohibiting cloud backups of Microsoft app data, and securing the app with a PIN or passcode.

It’s important to know that app security is in addition to the device security. It’s one thing to secure the device, but if you will be transmitting sensitive information we must also ensure data leakage does not occur between apps, and therefore unapproved locations. Last, only by limiting the apps that can access our Office 365 data can we perform a selective remote wipe, and not impact the user’s other device content.

20. Our current set up is a jumble, how can we clean up and classify information that is sensitive or not, and move it to Office 365?

While there isn’t a single tool for this, there are a suite of tools for on-premises file shares, SharePoint, and Office 365 that can assist. These toolsets can help you manage content once it is moved into Office 365 and content that is originally created within Office 365.

More importantly, we must first understand the desired and compliant end state, before fixing your current data. Once we have a good information architecture, we can then begin migration planning and cleanup of current data. Consider phasing in your data. Begin identifying the likely areas hosting your most critical data and address those first.

21. Does O365 encrypt files in SharePoint Online and OneDrive for Business?

22. Can O365 perform content scanning to see if sensitive information is in the wrong place and is exposed?

23. Are encryption keys kept by Microsoft or my company?

Microsoft provides storage volume based BitLocker encryption across all of Office 365 and the keys used for BitLocker are Microsoft based. However, Microsoft offers a capability known as Advanced Encryption. This allows a customer to create their own encryption keys to encrypt data across all their tenant.

This leverages the Azure Key Vault Service and Bring Your Own Key (BYOK). Microsoft also supports leveraging BYOK for Azure RMS implementations that can allow you to control encryption of content beyond the Office 365 tenant environment.

Note: This FAQ is part of a series. Check out the previous FAQ's here: FAQ #1, FAQ #2, andFAQ# 3.

Be sure to subscribe and get notified when there's a new post, or check back soon for the next post in the series!